Did Credit Card Scammer War Drive?

from the evidence-please? dept

There's a story making the rounds this morning about a teenager being charged with credit card fraud. He apparently got credit card numbers somehow, made up fake cards, and gave them to people to buy stuff. What's unclear, however, is how he got the card numbers. The article claims: "They believed that he was gathering credit card numbers online or parking in residential neighborhoods and capturing wireless transmissions of financial information on his laptop." Gathering credit card numbers online is fairly common, but the claim that he was getting them via wireless networks deserves more scrutiny. It is certainly possible, but it's pretty difficult. Even if your WiFi network is unprotected, most websites that require a credit card entry will use encryption, meaning he should not have been able to get the card numbers that way. Because the press seems to really like writing up stories about war drivers stealing credit cards, it's only a matter of time until this aspect of the story gets more attention -- but there should be a little more evidence to show that he actually obtained credit card numbers this way, and an explanation of how that happened if people were using sites that used encryption.
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. identicon
    Anonymous Coward, 11 Feb 2005 @ 1:23pm

    Probably easier than you think.

    While it's true that most credit card-accepting sites will use SSL encryption, it's not always clear how weak the 'human' aspect of that security chain is. It's actually fairly easy to associate with a wireless network and spoof clients into forwarding all outbound traffic to you instead of the router. Once that is done, it's possible to set up a website proxy which uses a fake SSL certificate on the client side and establishes a real SSL connection with the server.
    When this happens, the client does get a warning box from their browser saying that it couldn't verifiy the SSL certificate of the server, but how often do you think people are willing to click "Ok" to a warning box that they don't understand? Probably more often than anybody would like to admit. Once the user clicks ok, the "encrypted" session goes on unhindered with the eavesdropper listening in to everything being said.
    People don't understand the gravity of certificate-verification warning boxes. If your browser isn't able to verify a SSL certificate with a central authority, then the chain of trust is broken and any claims to security are null and void.

    link to this | view in thread ]

  2. identicon
    Chomper, 11 Feb 2005 @ 1:25pm

    No Subject Given

    There are much easier ways to get CC #'s that people are totally oblivious about.

    I won't name the restaraunt, but while there and waiting for a table, they had that nights receipts on the table where the hostess sits and in plain sight were receipts with full credit card numbers along with expiration dates. One shot with a camera phone and those people would have been screwed.

    Unfortunatley, a lot of the press are brain dead in terms of technology and have no right to be talking about it, but this stuff does happen.

    Another scenario is when people hold out their credit cards while in line waiting to pay, a simple, indiscreet capture of that, again with a camera phone or other type of device and gone.

    link to this | view in thread ]

  3. identicon
    Anonymous Coward, 11 Feb 2005 @ 1:36pm

    Camera Phone theory

    Chomper,

    While I'll agree with you that # stealing is eas & usually doesn't have to rely on technology ... the camera phone theory has already been shot down.

    Somebody got the links ?

    link to this | view in thread ]

  4. icon
    Mike (profile), 11 Feb 2005 @ 1:39pm

    Re: Camera Phone theory

    How about links right here at Techdirt:

    http://www.techdirt.com/articles/20041223/1438218.shtml

    Yeah, that cameraphone story isn't true. So far, there aren't many cameraphones out there good enough to snap a photo of credit card numbers. However, it could be an issue at some point, though you hope, by then, people are smart enough to notice someone fiddling with their phone nearby.

    link to this | view in thread ]

  5. identicon
    Ask Bjørn Hansen, 11 Feb 2005 @ 3:02pm

    Residential neighborhoods?

    There have been stories about people doing this near Big Chain Store Inc. where they used wireless from the cash register or such, but residential neighborhoods? As you point out, it doesn't seem likely...
    - ask

    link to this | view in thread ]

  6. identicon
    saleh, 11 Feb 2005 @ 4:50pm

    Possible, and relatively easy

    While the wifi attack may or may not have been used in this case, it would be trivial to accomplish.

    Rather than a fancy SSL man-in-the-middle attack, just connect to the (likely unsecured) wifi and install a browser helper (on the likely insecure PC) that keylogs whenever an interesting site is accessed. Come back a month or two later, get the logs, and wipe out the keylogger.

    For the finishing touch, use the victim's own wifi network to connect to the bank and drain his account. The logged IP (that of the router/firewall) would belong to the victim.

    link to this | view in thread ]

  7. icon
    Mike (profile), 11 Feb 2005 @ 4:54pm

    Re: Possible, and relatively easy

    Rather than a fancy SSL man-in-the-middle attack, just connect to the (likely unsecured) wifi and install a browser helper (on the likely insecure PC) that keylogs whenever an interesting site is accessed. Come back a month or two later, get the logs, and wipe out the keylogger.

    Er... what are you installing a keylogger on? Even if you can get on an average WiFi network, it's much less likely you'll get access to someone's computer.

    link to this | view in thread ]

  8. identicon
    saleh, 12 Feb 2005 @ 9:44am

    Re: Possible, and relatively easy

    From my condo (not wardriving) I can get to two completely open access points. Both are fully browsable from Windows; the PCs on those networks advertise their names.

    If we assume those users took a minimal set baseline steps to secure their PCs (e.g. rename administrator account, use non-dictionary passwords, enable account lockout on invalid passwords, configure the event log to audit logon failures...) then you are correct. But, if someone's access point is blinking 12:00, how sophisticated is that end-user?

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.